What if America’s enemies were probing the Pentagon for weaknesses, sabotaging the government’s ability to protect the country, stealing sensitive information and even planting time bombs that could cripple the country? Most of us would say America is under attack.

Whatever we call it, something not too dissimilar is happening in cyberspace, as a disparate collection of individuals, groups and foreign governments take aim at America’s information infrastructure.

Some argue that attacks in cyberspace aren’t really a threat to national security. They’re wrong. Just ask our friends in Estonia, Georgia and Israel—or consider the Pentagon’s 2008 report on China, which concluded that Beijing views cyberspace as an arena for “non-contact warfare” and aims to conduct “cyberwarfare against civilian and military networks—especially against communications and logistics nodes.”[1]

The head of the UN agency on information technology fears that “the next world war could happen in cyberspace.”[2] In fact, it may already be underway.

Rehearsals?

Estonia weathered what some call “Web War I” in 2007, when Russian nationalists unleashed a volley of “distributed denial of service” attacks that crashed networks across the country. The attacks targeted key government websites, newspapers, the mobile-phone network, the country’s 911 equivalent and the country’s largest bank.[3]

The cyber-salvos hit Estonia especially hard because the tiny Baltic country—dubbed “e-Stonia”—is one of the most web-dependent places on earth.

“It turned out to be a national security situation,” Estonian defense minister Jaak Aaviksoo later reported.[4]

That helps explain why Estonian president Toomas Hendrik Ilves has suggested that NATO may need to upgrade its 20th-century defense commitments in light of this 21st-century threat. “Cyber-attacks are a form of offensive action that can paralyze, weaken, harm a nation-state,” he argues, ominously adding, “This might be a test run for something bigger and larger.”[5]

NATO has since formed a center to help member states “defy and successfully counter” cyberattacks.[6]

A year after Estonia, Russian cyber-militiamen launched a digital invasion ahead of the Russian military’s ground invasion of Georgia,[7] crippling the websites of the foreign ministry, defense ministry and presidential office—and hijacking several government servers.[8]

In 2009, after the Israeli military struck terror targets in Gaza, hackers from the former Soviet Union, bankrolled by Hezbollah and Hamas, carried out cyberattacks against Israel. As the Israeli newspaper Haaretz reported, “The Home Front Command’s site, which instructs citizens how to protect themselves from attacks, was down for three hours.”[9]

Russia is not the only culprit.

“China is very aggressive in the cyber-world,” according to Director of National Intelligence Dennis Blair.[10]

The British Foreign Office was victimized by Chinese cyber-attacks in 2007.[11]

Germany blames hackers linked to the People’s Liberation Army (PLA) for massive cyberattacks against the chancellery and foreign ministry. One German official even used the phrase “Chinese cyberwar” in describing the attacks.[12]

In 2007, the Pentagon was forced to disable computer systems serving the Office of the Secretary of Defense, after it was discovered that the PLA had hacked into the system.

The U.S.-China Economic and Security Review Commission (ESRC) reports that Chinese hackers have planted computer components with codes that could be activated to steal or destroy data; penetrated computer systems at U.S. defense firms, the White House, State Department and NASA; and attacked government ministries in Europe, Japan, India, Taiwan, South Korea, Australia and dozens of other countries.[13]

In a six-month period stretching from late 2008 through early 2009, the Pentagon spent $100 million repairing damage from cyber-attacks.[14]

Risks

In short, “America is under widespread attack in cyberspace,” as Gen. James Cartwright, vice chairman of the Joint Chiefs, reported in 2007. According to Cartwright, America’s “freedom to use cyberspace is threatened by the actions of criminals, terrorists and nations alike.”[15]

That presents a problem, because, as Gen. Kevin Chilton, commander of U.S. Strategic Command, explains, “Freedom of action in cyberspace is essential to both war fighting and our national security.”[16]

For example, the ESRC concludes that in the event of conflict, Beijing would target certain Pentagon networks “to delay U.S. deployments and impact combat effectiveness of troops already in theater.”[17]

Before scoffing at that possibility, consider this: The British government worries that utilities-network upgrades carried out by the Chinese telecom firm Huawei may have given Beijing the ability to shut down essential services, including power and water supplies.[18]

Similarly, The Wall Street Journal has reported on “pervasive” penetration of the U.S. electrical grid, whereby malicious software and sleeper switches have been implanted to allow China or Russia to disrupt service at a time of their choosing.[19]

We don’t have to imagine the impact of a grid attack. Consider the 2003 East Coast blackout, which affected 50 million people. New York, Detroit and Toronto went dark. Nine nuclear reactors were knocked offline. Six major airports were shut down. Hospitals lost power. And none of this was the result of a malicious attack.[20]

Chinese officials claim they oppose “any crime, including hacking, that destroys the Internet.”[21] Yet Beijing tacitly encourages hundreds of quasi-independent hacker teams and even trains some at Chinese military bases.[22] In fact, the Pentagon concluded in 2007 that “the PLA has established information warfare units to develop viruses to attack enemy computer systems and networks.”[23]

Former NATO commander Wesley Clark and Peter Levin, chief technology officer at the Department of Veterans Affairs, worry that Americans have succumbed to “the self-delusion that since nothing terrible has happened to the country’s IT infrastructure, nothing will.”[24]

But if the electrical grid can fail by mistake, it can fail by design. And if a military cyberattack can happen in Estonia, Georgia or Israel, it can certainly happen here.

Nervous Systems

“Maintaining freedom of action in cyberspace in the 21st century is as inherent to U.S. interests as freedom of the seas was in the 19th century, and access to air and space in the 20th century,” according to Lt. Gen. Keith Alexander, commander of the newly formed Cyber Command.[25] Yet as Cartwright has warned, “We lack dominance in cyberspace and could grow increasingly vulnerable if we do not fundamentally change how we view this battle-space.”[26]

Toward that end, Washington should borrow a page from the early days of the Cold War, when U.S. leaders helped define the rules of the road for the Atomic Age: They built a military that could fight and win in an era of nukes, ICBMs and supersonic jets; formed a web of international partnerships and alliances; developed continuity of government plans to ensure the survival of the republic; and made it clear that the U.S. would respond with “massive retaliation” in the event of war.

In the same way, a cyber-defense doctrine could help bring order to the wild frontiers of cyberspace. And as Blair has suggested, “developing codes of conduct for cyberspace” could play an important part in maintaining America’s ability to shape events.[27]

The good news is that Washington has laid the foundations for such a doctrine, albeit in a piecemeal manner.

President George W. Bush, who called cyberspace “the nervous system” of America’s critical infrastructure,[28] launched the Comprehensive National Cybersecurity Initiative. The CNCI garnered bipartisan support, committed some $30 billion to strengthening government networks, and features defensive and offensive elements.[29] Bush also initiated a series of readiness exercises under the Department of Homeland Security (DHS). These “Cyber Storm” exercises enfold the private sector, federal and state agencies, and allied governments. Cyber Storm III, scheduled for 2010, will reportedly test power grids and transportation arteries.[30]

President Barack Obama has built on his predecessor’s efforts. Declaring cyber-borne threats among “the most serious economic and national security challenges we face,” Obama created a White House office to coordinate cybersecurity. He also has launched a “cybersecurity awareness” campaign and pledged to improve coordination between and among agencies, states and the private sector “to ensure an organized and unified response to future cyber incidents.”[31]

The bad news is that “the architecture of the nation’s digital infrastructure,” according to the 2009 National Intelligence Strategy, “is neither secure nor resilient.”[32] And America’s enemies know it.

Washington is taking steps to correct this. DHS recently began hiring 1,000 new cyber-security experts. Plus, the Pentagon is standing up Cyber Command as a part of Strategic Command.

A key mission of the new command will be to deter the enemy. “Deterrence can be partially achieved through the creation and maintenance of a cyberforce capable of freely operating within cyberspace,” Alexander explains.[33]

To assist the warfighters in their deterrence mission, it may be helpful for the policymakers to let it be known that the U.S. will view a cyberattack on critical infrastructure in the same way as a traditional military attack. It’s worth noting that Russian military officials argue that “the use of information warfare against Russia or its armed forces will categorically not be considered a non-military phase of a conflict, whether there were casualties or not.”[34]

For those times when deterrence fails, the U.S. must be able and willing to go on the offensive. Alexander envisions an approach to cybersecurity that puts “defense and offense together.”[35] Chilton notes that the military “will need to fight through attacks and ensure we can continue to operate in cyberspace in at least an adequate fashion.”[36]

In addition, U.S. intelligence and law enforcement will need to trace and, where applicable, establish links between nation-states and cyberattacks emanating from their territory. Even if independent actors are responsible for a cyberattack, they still operate within a country—and governments are obligated to police what happens in their corner of cyberspace.

Washington might also consider a “no first use” pledge for cyberspace with any government that promises the same, keeping in mind that in the digital world, as in the real world, actions speak louder than words.

Finally, the U.S. should explore the feasibility of developing new redundancies—or dusting off old ones—that don’t depend on cyberspace. It pays to recall that not long ago we delivered essential services—we even defended the nation—without the Internet.

[1] DoD, Annual Report to Congress on the Military Power of the People’s Republic of China, 2008, p.21.

[2] AFP, “Threat of next world war may be in cyberspace: UN,” October 6, 2009.